CVE-2026-33311
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
Description
## Summary

SVG attribute values derived from user-supplied options (`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to `createAvatar()` and serve the resulting SVG inline or with `Content-Type: image/svg+xml`.

## Affected packages

- **`@dicebear/core`** — `backgroundColor` option values interpolated into SVG attributes without escaping (affects `solid` and `gradientLinear` background types)
- **`@dicebear/initials`** — `fontFamily` and `textColor` option values interpolated into SVG attributes without escaping

## Fix

All affected SVG attribute values are now properly escaped using XML entity encoding. Users should upgrade to the listed patched versions.

## Mitigating factors

- Applications that validate input against the library's JSON Schema before passing it to `createAvatar()` are not affected
- The DiceBear CLI validates input via AJV and was not vulnerable
- Exploitation requires that an application passes untrusted, unvalidated external input directly as option values
How to fix CVE-2026-33311
To remediate CVE-2026-33311, upgrade the affected package to a fixed version below.
- `@dicebear/core`: upgrade to 5.4.4 or later
- `@dicebear/initials`: upgrade to 5.4.4 or later
Is CVE-2026-33311 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 5.0.0, < 5.4.4
- >= 5.0.0, < 5.4.4